CVE-2018-20164: ReDoS

February 13, 2019 (updated October 2, 2019)

The programming library UA-Parser uses regular expressions to identify user agent strings. The complexity of the regular expressions is such that an attacker can craft special patterns that keep the server busy for a long time. By sending many requests in short order, an attacker can exhaust the amount of processing power available.

References

github.com/ua-parser/uap-core/pull/363/files
nvd.nist.gov/vuln/detail/CVE-2018-20164
www.openwall.com/lists/oss-security/2019/01/10/2
www.x41-dsec.de/lab/advisories/x41-2018-009-uaparser/

Detect and mitigate CVE-2018-20164 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →